It is often necessary for mobile devices to provide authentication credentials to gain access to a secure server. For example, a mobile device may contain applications that require the assistance of secure servers, such as location-based service (LBS) applications, which require the services of location servers for location determination. Such servers generally require mobile devices to provide authentication credentials before providing the requested assistance.
An authentication procedure could consist of the mobile device creating a credential by encrypting a password to send to the location server as the authentication credential. In such an arrangement, the mobile device would locally store the identifier and password and would encrypt the password before transmitting the encrypted value to the location server. Having the mobile device carry out the encryption may create the risk of revenue loss or security issues, as a hacker may be able to obtain the authentication credential, either from the mobile device itself or during transmission, and use a hacked credential to obtain free services or to disseminate sensitive location information.
Static or predictably changing encrypted values are also at risk from hackers, because they can be reverse-engineered to obtain the password. Because by definition a location server is stationary, a hacker can easily monitor the requests sent to it by a mobile device and use the information collected to reverse-engineer the authentication credential.
Hence, a need exists for improved technologies for authenticating a mobile device.